[squid-users] question about squid and https connection .

--Ahmad-- ahmed.zaeem at netstream.ps
Thu Jul 12 22:15:02 UTC 2018


THANK YOU Guys ALL.


so my question, put another way, is:


if I have a squid proxy and I use it the TCP_Connect way,

and from the same PC and the same browser I try to open facebook from 200 different addresses,

then facebook won't have a footprint that 200 different addresses hit FB with the same public key/cert.

I just want to make sure there is no footprint happening.

that's why I asked.

let me know your concerns Guys, thanks a lot Guys!

> On 12 Jul 2018, at 23:35, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:
> 
> Alex,
> 
> Just to be sure:
> Every RSA key and certificate pair, regardless of the origin server and the SSL-BUMP enabled proxy, can be different.
> If the key were the exact same one then we would probably have a very big security issue/risk to my understanding (leaving aside DH).
> 
> Would it be more accurate to say that as long as these 200 squid instances (different squid.conf and a couple of other local variables)
> use the same exact ssl_db cache directory then it's probable that they will use the same certificate?
> Or these 200 squid instances are in SMP mode with 200 workers...
> If these 200 instances do not share memory and certificate cache then there is a possibility that the same site from two different sources
> will serve different certificates (due to the RSA key, which is different).
> 
> Thanks,
> Eliezer
> 
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
> 
> 
> 
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Alex Rousskov
> Sent: Thursday, July 12, 2018 11:27 PM
> To: --Ahmad-- <ahmed.zaeem at netstream.ps>; Squid Users <squid-users at lists.squid-cache.org>
> Subject: Re: [squid-users] question about squid and https connection .
> 
> On 07/12/2018 01:17 PM, --Ahmad-- wrote:
> 
>> if i have pc# 1 and that pc open facebook .
>> 
>> then i have other pc # 2 and that other pc open facebook .
>> 
>> 
>> now  as we know facebook is https .
>> 
>> so is the key/ cert that used on pc # 1 is same as cert in pc # 2 to decrypt the fb encrypted traffic ?
> 
> Certificates themselves are not used (directly) to decrypt traffic
> AFAIK, but yes, both PCs will see the same server certificate (ignoring
> CDNs and other complications).
> 
> 
> 
>> now in the presence of squid .
>> 
>> if i used tcp connect method  , will it be different than above ?
> 
> If you are not bumping the connection, then both PCs will see the same
> real Facebook certificate as if those PCs did not use a proxy.
> 
> If you are bumping the connection, then both PCs will see the same fake
> certificate generated by Squid.
> 
> 
> 
>> say i used 200 proxies in same squid machine and i used to access FB from the same pc same browser .
>> 
>> will facebook see my cert/key i used to decrypt its traffic ?
> 
> If you are asking whether Facebook will know anything about the fake
> certificate generated by Squid for clients, then the answer is "no,
> unless Facebook runs some special client code to deliver (Squid)
> certificate back to Facebook".
> 
> In general, the origin server assumes that the client is talking to it
> directly. Clients may pin or otherwise restrict certificates that they
> trust, but after the connection is successfully established, the server
> may assume that it is talking to the client directly. A paranoid server
> may deliver special code to double check that assumption, but there are
> other, more standard methods to prevent bumping such as certificate
> pinning and certificate transparency services.
> 
> 
> 
>> is the key/cert of FB to decrypt the https content is same on all browsers on all computers ?
> 
> If you are asking whether the generated certificates are going to be the
> same for all clients, then the answer is "yes, provided all those 200
> Squids use the same configuration (including the CA certificate) and
> receive the same real certificate from Facebook". Squid's certificate
> generation algorithm generates the same certificate given the same
> configuration and the same origin server certificate.
> 
> 
> HTH,
> 
> Alex.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
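Alex's point that a bump proxy regenerates the same fake certificate from the same CA, configuration and origin certificate, and Eliezer's point that a different RSA key yields a different certificate, shown as an added example in Go. This is not code from the thread or from Squid: the mimic step, the serial derivation and the names ("Real Root CA", "Squid Bump CA", example.com) are this example's own assumptions, and Squid's real generator is not reproduced here. It also shows the client-side check Alex mentions: an SPKI pin taken from the origin certificate does not match the bumped one, and a client that trusts only the real CA rejects it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fixed validity window so runs are reproducible; a real origin cert carries its own dates.
var (
	notBefore = time.Date(2018, 7, 1, 0, 0, 0, 0, time.UTC)
	notAfter  = time.Date(2019, 7, 1, 0, 0, 0, 0, time.UTC)
	checkTime = time.Date(2018, 7, 12, 22, 0, 0, 0, time.UTC)
)

// mustKey makes an RSA key. RSA PKCS#1 v1.5 signatures are deterministic, so
// identical inputs give byte-identical certificates (ECDSA signatures would not).
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newCA builds a self-signed root: the "real" CA or the proxy's bump CA.
func newCA(cn string, key *rsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
}

// newOrigin issues the origin server's genuine certificate from the real CA.
func newOrigin(ca *x509.Certificate, caKey, leafKey *rsa.PrivateKey, host string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"Origin Inc"}},
		DNSNames:     []string{host, "www." + host}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustParse(x509.CreateCertificate(rand.Reader, t, ca, &leafKey.PublicKey, caKey))
}

// mimic models the bump step: copy the origin certificate's identity fields
// (subject, SANs, validity, usages) and re-sign them with the proxy CA over the
// proxy's own leaf key. The serial is a hash of origin cert + proxy CA so the
// same inputs always give the same serial (this example's choice, not Squid's).
func mimic(origin, proxyCA *x509.Certificate, proxyKey, leafKey *rsa.PrivateKey) *x509.Certificate {
	h := sha256.New()
	h.Write(origin.Raw)
	h.Write(proxyCA.Raw)
	t := &x509.Certificate{
		SerialNumber: new(big.Int).SetBytes(h.Sum(nil)[:16]),
		Subject:      origin.Subject, DNSNames: origin.DNSNames,
		NotBefore:    origin.NotBefore, NotAfter: origin.NotAfter,
		KeyUsage:     origin.KeyUsage, ExtKeyUsage: origin.ExtKeyUsage,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, t, proxyCA, &leafKey.PublicKey, proxyKey))
}

// fingerprint: SHA-256 over the whole DER certificate, what a browser displays.
func fingerprint(c *x509.Certificate) string { s := sha256.Sum256(c.Raw); return hex.EncodeToString(s[:]) }

// spkiPin: SHA-256 over the SubjectPublicKeyInfo, what key pinning compares.
func spkiPin(c *x509.Certificate) string {
	s := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(s[:])
}

// trustedBy reports whether a client that trusts only root accepts leaf for host.
func trustedBy(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: checkTime})
	return err == nil
}

// Result holds the observable differences between the direct and bumped views.
type Result struct {
	SameFakeCert      bool // same proxy CA + same leaf key + same origin cert -> same bytes
	NewKeyNewCert     bool // a different RSA leaf key changes the fake certificate
	PinDetectsBump    bool // origin's SPKI pin does not match the bumped cert
	RealCATrustsBump  bool // a client trusting only the real CA accepts the bump (should be false)
	ProxyCATrustsBump bool // a client with the proxy CA installed accepts it
}

func Demo() Result {
	realKey, originKey, proxyKey, leafA, leafB := mustKey(), mustKey(), mustKey(), mustKey(), mustKey()
	realCA := newCA("Real Root CA", realKey)
	origin := newOrigin(realCA, realKey, originKey, "example.com")
	proxyCA := newCA("Squid Bump CA", proxyKey)
	bump1 := mimic(origin, proxyCA, proxyKey, leafA) // squid instance 1
	bump2 := mimic(origin, proxyCA, proxyKey, leafA) // instance 2 sharing the same ssl_db key
	bump3 := mimic(origin, proxyCA, proxyKey, leafB) // instance 3 with its own RSA key
	return Result{
		SameFakeCert:      fingerprint(bump1) == fingerprint(bump2),
		NewKeyNewCert:     fingerprint(bump1) != fingerprint(bump3),
		PinDetectsBump:    spkiPin(origin) != spkiPin(bump1),
		RealCATrustsBump:  trustedBy(bump1, realCA, "example.com"),
		ProxyCATrustsBump: trustedBy(bump1, proxyCA, "example.com"),
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The origin server never sees bump1, bump2 or bump3: they exist only on the client-facing side of the proxy, which is why the fingerprint comparison is done locally. Repeating the `Demo()` run gives fresh keys, so only the relations between fields are stable, not the fingerprint values themselves.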


